REMARKS

Applicant respectfully requests that the above amendments be entered in the 
instant application prior to examination on the merits. Care has been taken to avoid the 
introduction of new matter. An early allowance is respectfully requested. 



Respectfully submitted, 



/W. Edward Ramage/

W. Edward Ramage, Reg. No. 50,810 
Baker Donelson Bearman Caldwell & 
Berkowitz, PC 

211 Commerce Street, Suite 1000 
Nashville, TN 37201 
615-726-5771 
ACCESS CONTROL SYSTEM FOR INFORMATION SERVICES BASED ON
A HARDWARE AND SOFTWARE SIGNATURE OF A REQUESTING 
DEVICE 


Field of the Invention 

The present Invention is related to the identification and authorization
for service access for computational devices or devices with computational resources (a
"Device"). In particular, the present Invention is preferably applicable to
sensitive and confidential information access, such as bank account information access
by means of the Internet, secure access to web pages for commercial transactions
(e-commerce), corporate Intranet access to confidential information, etc.



Background of the Invention

The prior art describes several security related devices and configurations
applicable to access and operation through the Internet. Security needs have to be
constantly revised in face of the increasing sophistication of resources used to bypass
security systems and gain fraudulent access to Internet banking and e-commerce. In
countries such as the United States of America, the high efforts and investments made
to thwart criminal actions performed by hackers precisely illustrate the importance of
guaranteeing user-friendly secure online transactions. Many online and Internet
operations use sophisticated security procedures which are based on high levels of
complexity in an attempt to guarantee the security in accessing online services which
involve private or confidential information. However, this increased complexity results
in difficulties posed to legitimate users in accessing such services. This, in its turn,
results in a lower-than-optimum level of adherence, by users, to existing forms of
online services.
Other apparently more rigorous security schemas, such as those offered on
online banking websites, are examples of what was explained above. Those services
behave as if only the user could visualize and/or access the service. Authentication
processes based solely on the user (i.e. user/password) are susceptible to password
tracking. The univocal correspondence between a user and his password eases fraud,
either by password cloning or by cloning accessed webpages.

As an example of the technique, the Irish invention no. 83221 refers to a means
of uniquely identifying computers and systems. The Invention, on the other
hand, is able to create signatures that identify a device using only logical information
and, jointly with the univocal framework and related processes that constitute it, it
proposes a security system able to complement or substitute traditional authentication
procedures. Although signatures or the idea of using extended positivation schema for
computational devices have existed for a long time, the Invention's
uniqueness relies on its process, i.e., its client/server architecture conceived to
complement or substitute usual authentication systems.

Therefore, what is claimed in document no. 83221 involves the creation of a
unique signature for a device (where a device stands for a processor or a processor set
composing a network) based on response time statistical distribution and other
measurements for physical identification of the devices, used for purposes that may or
may not be applicable for conventional authentication schemes. The identification
process proposed in this document also uses some logical techniques; however, unlike
the Invention, these techniques are used as a complement. The logical
techniques proposed in the document 83221 do suffice for the creation of a unique
identification for a device. Although it is possible to create or complement an
authentication procedure from the process described in document 83221, that is not its
intention, and, moreover, its contents do not consider, directly, the creation of a similar
process.

This is also what happens with Microsoft's publication titled: PRODUCT
ACTIVATION FOR WINDOWS XP-TECHNICAL MARKET BULLETIN. This
publication describes validation methods of the Windows XP computer program that aim
to avoid illegal copies (piracy) or even fraudulent product purchase. The configurations
proposed for these methods also have a univocal characteristic, of some complexity for
the ordinary user, who would be inhibited from practicing fraudulent actions.


Summary of the Invention

The present Invention is a technology used to substantially improve the
security involved in an authentication process to access an Internet page, an Intranet
page, or any other type of computer server or computer-based service that requires
secure authentication. Any of these services will be cited hereinafter as a "SERVICE".
The authentication process includes a process coupled to the hardware and software
configuration profile of a device, resulting in a unique signature. This signature will be
referenced from now on as "SIGNATURE".

Whenever a user tries to access a SERVICE that is using the Invention
for authentication, the SIGNATURE resulting from the configuration of the device
from where the user is attempting to use the SERVICE is verified and compared to a
list of authorized device SIGNATURES. If the current device's SIGNATURE matches
one of the previously registered SIGNATURES, the user is allowed to access the
SERVICE. If not, the user will either be directed to extended positivation or will be
denied access to the SERVICE, depending on the previously chosen security options.
In case the user is submitted to extended positivation, if his identification is successful,
access to the SERVICE will be granted and the user will be given the option to include
the present device in the list of authorized SIGNATURES for his account. If the
identification is not successful, the user will not be allowed to access the SERVICE.
The Invention can be used as a complementary authentication process
to another existing authentication process (i.e., an authentication method based on a
user/password pair) so as to improve its security level. This may be used, typically, to
access less sensitive applications, such as logging onto a web portal or ISP.

It is important to stress that the Invention is capable of performing this
identification without need for any other hardware or software components, such as
smart cards, identification cards, etc. Therefore, the Invention allows the
recognition of a device SIGNATURE simply from its usual hardware and software
components.

This document will offer a more in-depth description of possible applications of
the Invention; however, any application of same described herein is offered
as an example, and should not be construed as a limitation to the scope of the claims.



Brief Description of the Drawings

Figure 1 is a diagram that illustrates the basic operation of one exemplary
embodiment of the present Invention.

Figure 2 is a diagram that shows the process of SIGNATURE deletion. 

Figure 3 is a diagram that represents the deactivation of the Invention's
security system triggered by a user.
Detailed Description of Exemplary Embodiments

System Architecture 

The present Invention was conceived to operate in a distributed
computational environment that can be implemented by means of the Internet or in an
internal computational network. It is composed of three basic components:

a) A Software Agent;

b) An Authentication Server; and

c) A network-available SERVICE which requires authentication.

The Software Agent is a program that can discover hardware and software asset
information from a Device. It is a key component to obtain the data that will compose
the Device's SIGNATURE. The Software Agent needs to be installed or downloaded
and installed (preferably by using web distribution techniques that are able to
download and execute a program in a single step, such as ActiveX or a browser
plug-in), by means of the Internet or an internal network, in order to start the SIGNATURE
identification process.

The Authentication Server is a server that receives a SIGNATURE from a
Software Agent, compares it to a set of authorized SIGNATURES and authorizes or
denies access to a SERVICE. The Authentication Server needs to be connected by means
of an internal network or the Internet to the device submitted to SIGNATURE
recognition, in order to allow the identification process to work properly. It is,
therefore, an online authentication system.

The Authentication Server has both an interactive and a storage function. It
interacts with the Software Agent and the SERVICE providing access authentication.
Besides, it works as a repository of the registered SIGNATURES as well as storing
the access attempt history (successful or not) of each SERVICE user.

The SERVICE is an Internet page, Intranet page or other type of computational
server or computational service that requires secure authentication. The
Invention complements other authentication methods or security procedures already
utilized by the SERVICE, as a pre-identification. For example, it may be used to deny
the use of the SERVICE from a device whose SIGNATURE is not registered and
recognized, even though another pre-identification process could be successfully
accomplished by means of other coexistent authentication processes (for instance, deny
access even if the user/password pair is correct).

Operation 

The operation and method of the present Invention is illustrated by the
steps described below:

1) A user tries to access a SERVICE submitted to the Invention's
authentication. As the Invention can coexist with other authentication
processes, the user may be submitted to other authentication or complementary security
procedures, as a pre-identification, whenever necessary. Typical pre-identification
processes are: username/password pair, verifying authorized IP address ranges,
answering specific questions, systems that protect against "software robots", etc.

2) If the user has not registered any device SIGNATURE with the
Invention yet, the user will be led to a web page or software window that explains how
the Invention works and tells that the user will be submitted to a registering
process immediately afterwards.

a) This step can be implemented in such a way as to be optional, in case the
SERVICE provider wants to offer the user the option of accessing the SERVICE using
the Invention or not. In this case, the user may also take the initiative of
deactivating or reactivating the Invention usage when desired. In order to
reactivate the Invention usage, the user must identify themselves in some
way (by means of username/password pair, answering questions, etc). It is
recommended to allow the Invention's deactivation only from the device
that has the oldest SIGNATURE registered in the account, since this SIGNATURE is
generally considered to be the most trustable one.

3) Once the user agrees to use the Invention, he or she must allow
the SOFTWARE AGENT download and execution on his device, unless this has
already occurred. This step must be repeated for each device that needs to be submitted
to the Invention's authentication process.

4) Once the SOFTWARE AGENT is installed on the user's device, the
Invention will identify its SIGNATURE and submit it for registration with the
SERVICE. Typically, the first registration does not require rigorous authentication.

The SIGNATURE is made from data sampled from the device's hardware and
software components. The SIGNATURE will identify the device without the need of
any supplementary identification device, such as a smart card.

The device's identification is done by detecting and identifying essential
hardware and software components of the device. The Invention allows that
some of these components undergo incremental changes without modifying the
device's SIGNATURE. However, if the device has undergone deep modifications, its
SIGNATURE will be changed. This means that the device will be considered as a new
device and will not be recognized by the SERVICES accessed before then. In this case,
the user has to register the new device SIGNATURE. It is also important to clarify that
changes of components that are not considered to be essential may be done without
affecting the SIGNATURE.

The SIGNATURE is composed of a group of information hashes extracted from
hardware and software components. These hashes cannot be reversed to recompose the
information used to make the SIGNATURE, preserving, this way, user privacy and
security. It is recommendable that, at each transaction, the hashes be grouped in a
different way and submitted to several levels of cryptography. This procedure protects
the system even more against anyone who attempts to intercept the communication
between the user device and the Authentication Server and tries, by simply reproducing
the transmitted data, to pretend to be the original device.
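The SIGNATURE construction just described can be modelled in a few dozen lines. The following Python sketch is an added illustration, not code from the application: it hashes each essential component separately (so only digests leave the Device), treats the Device as unchanged while at least a threshold of component hashes still agree, and, for each transaction, groups the hashes in a fresh random order and binds them to a server-issued nonce with an HMAC, so that a captured message cannot simply be reproduced later. The component names, the shared key set up at registration, and the threshold of four matching components are assumptions; the application does not specify them.

```python
import hashlib
import hmac
import secrets

# Constructed sample inventory of "essential" components for one Device.
# The application does not list specific components; these names are assumptions.
DEVICE_A = {
    "cpu": "GenuineIntel Family 6 Model 142",
    "disk_serial": "WD-WX11A2B3C4D5",
    "mac_address": "00:1a:2b:3c:4d:5e",
    "os_version": "Windows XP SP2",
    "bios": "AMI 1.23",
}


def component_hashes(inventory):
    """One SHA-256 digest per essential component; the raw values stay on the Device."""
    return {name: hashlib.sha256(f"{name}={value}".encode()).hexdigest()
            for name, value in inventory.items()}


def signatures_match(registered, current, min_common):
    """Incremental changes are tolerated: same Device if at least min_common
    registered component hashes are still present in the current set."""
    common = sum(1 for name, digest in registered.items()
                 if current.get(name) == digest)
    return common >= min_common


class SoftwareAgent:
    """Runs on the Device; computes the SIGNATURE and proves it per transaction."""

    def __init__(self, inventory, account_key):
        self.hashes = component_hashes(inventory)
        self.account_key = account_key  # assumed shared key established at registration

    def prove(self, nonce):
        """Group the hashes in a fresh random order and bind them to the server
        nonce with an HMAC, so an intercepted message is useless for a replay."""
        order = list(self.hashes)
        secrets.SystemRandom().shuffle(order)
        payload = "|".join(f"{name}:{self.hashes[name]}" for name in order).encode()
        tag = hmac.new(self.account_key, nonce + payload, hashlib.sha256).digest()
        return payload, tag


class AuthenticationServer:
    """Keeps registered SIGNATURES per account and an access-attempt history."""

    def __init__(self, min_common):
        self.accounts = {}          # account -> {"key": bytes, "devices": [hashes, ...]}
        self.min_common = min_common
        self.pending_nonces = set()
        self.history = []           # (account, outcome), successful or not

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending_nonces.add(nonce)
        return nonce

    def register(self, account, account_key, hashes):
        entry = self.accounts.setdefault(account, {"key": account_key, "devices": []})
        entry["devices"].append(hashes)

    def authenticate(self, account, nonce, payload, tag):
        entry = self.accounts.get(account)
        # Each nonce is accepted exactly once; a reproduced message is refused.
        if entry is None or nonce not in self.pending_nonces:
            self.history.append((account, "rejected-replay-or-unknown"))
            return False
        self.pending_nonces.discard(nonce)
        expected = hmac.new(entry["key"], nonce + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.history.append((account, "rejected-bad-proof"))
            return False
        current = dict(item.split(":", 1) for item in payload.decode().split("|"))
        if any(signatures_match(reg, current, self.min_common) for reg in entry["devices"]):
            self.history.append((account, "allowed"))
            return True
        self.history.append((account, "unregistered-device"))
        return False


def demo():
    """Same Device after a small change is recognised; a replay and a deeply
    modified Device are not."""
    server = AuthenticationServer(min_common=4)
    key = secrets.token_bytes(32)
    server.register("alice", key, SoftwareAgent(DEVICE_A, key).hashes)

    upgraded = dict(DEVICE_A, os_version="Windows XP SP3")    # one component changed
    nonce = server.challenge()
    payload, tag = SoftwareAgent(upgraded, key).prove(nonce)
    same_device = server.authenticate("alice", nonce, payload, tag)
    replay = server.authenticate("alice", nonce, payload, tag)

    rebuilt = dict(DEVICE_A, cpu="AuthenticAMD Family 15", disk_serial="ST-99",
                   mac_address="aa:bb:cc:dd:ee:ff")            # three components changed
    nonce = server.challenge()
    new_device = server.authenticate("alice", nonce, *SoftwareAgent(rebuilt, key).prove(nonce))
    return same_device, replay, new_device


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The nonce and HMAC only address reproduction of captured data; the "several levels of cryptography" the text recommends would additionally include an encrypted transport between Software Agent and Authentication Server, which this sketch leaves out.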

5) If the user tries to access the SERVICE from a device that was not
previously registered (provided that there was at least one device previously
registered), the Invention will allow the access only after applying an
extended positivation (i.e. specific questions besides the username/password pair). If
the answers are correct, the user will be allowed to access the SERVICE, with the
option to register (or not) the present device's SIGNATURE, according to the
configuration previously chosen. If the identification fails, the user will not be allowed
to access the SERVICE.

a) Optionally, in case the user has already reached a determined quantity
of SIGNATURES associated to his account (defined in accordance with the
implementation needs), he can choose whether the number of SIGNATURES should
be limited to this quantity or not. Alternatively, it is possible to limit the SIGNATURE
set in a way to create a closed group of devices that can access the SERVICE by means
of a given account. These options can be implemented in a mandatory way, that is, the
user will be able to register SIGNATURES coupled to his account until a maximum
number or only to devices that belong to a specific group.

b) Even in the case that it is not allowed to register additional
SIGNATURES, it is still possible, optionally, to access the SERVICE from a
non-registered device by means of extended positivation. Anyway, the SIGNATURE of this
device CANNOT be added to the existent SIGNATURE set. In this case, the
SERVICE access from this device is performed strictly as a "detached" and temporary
operation.

c) Optionally, it is also possible to specify a maximum number of times a
SIGNATURE can be present in SIGNATURE lists of different SERVICE users. This
maximum number can even be zero. In this situation, the common device will be
considered to be a "malicious" one and will be included in a denial list for devices that
are not authorized to authenticate before the Invention.

6) Whenever necessary, the user may delete the SIGNATURES registered in his
account. It is recommended that the SIGNATURE deletion process be always done
from a device considered to be more secure and trustable, which is, typically, a device
registered in the account before the one to be deleted. This way, the user can only
delete a given SIGNATURE if using a device whose SIGNATURE had been
registered BEFORE the SIGNATURE being deleted. It is also recommendable that the
oldest SIGNATURE can be deleted only from the device it was originally created on.

7) Once the user keeps accessing the page regularly by means of the
Invention, it will be able to provide past information about all access or
access attempts performed upon the user account. This historical information will
remain stored even if the user decides to deactivate, even though temporarily, the usage
of the system of the present Invention.
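The registration limit and closed device group (step 5a), detached access for an unregistered device (step 5b), the denial list for a device shared by too many users (step 5c), and the deletion ordering (step 6) can all be expressed as server-side policy over an account's SIGNATURE list. The following Python example is added here and is not the application's own code. It treats SIGNATURES as opaque strings kept in registration order, and it reads the per-device maximum of step 5c as the number of other users' lists a device may also appear in (zero meaning a device belongs to a single account), which is one interpretation rather than something the application states.

```python
class SignaturePolicy:
    """Per-account SIGNATURE lists with the optional controls of steps 5 and 6.
    SIGNATURES are opaque strings here; registration order is preserved."""

    def __init__(self, max_per_account, max_other_accounts):
        self.accounts = {}                            # account -> [signature, ...], oldest first
        self.max_per_account = max_per_account        # step 5a: closed device set per account
        self.max_other_accounts = max_other_accounts  # step 5c: may be zero (assumed reading)
        self.denied = set()                           # denial list for "malicious" shared devices

    def _other_accounts_using(self, account, signature):
        return sum(1 for name, sigs in self.accounts.items()
                   if name != account and signature in sigs)

    def register(self, account, signature):
        sigs = self.accounts.setdefault(account, [])
        if signature in self.denied:
            return "denied"
        if signature in sigs:
            return "already-registered"
        if len(sigs) >= self.max_per_account:
            return "limit-reached"
        if self._other_accounts_using(account, signature) > self.max_other_accounts:
            self.denied.add(signature)  # a device shared by too many users is treated as malicious
            return "denied"
        sigs.append(signature)
        return "registered"

    def check_access(self, account, signature, extended_positivation_passed):
        if signature in self.denied:
            return "deny"
        if signature in self.accounts.get(account, []):
            return "allow"
        # Step 5b: an unregistered device gets only detached, temporary access,
        # and only after extended positivation succeeds.
        return "allow-detached" if extended_positivation_passed else "deny"

    def delete(self, account, from_signature, target_signature):
        """Step 6: delete only from a device registered earlier than the target;
        the oldest SIGNATURE may be deleted only from the device that created it."""
        sigs = self.accounts.get(account, [])
        if from_signature not in sigs or target_signature not in sigs:
            return False
        if target_signature == sigs[0]:
            allowed = from_signature == target_signature
        else:
            allowed = sigs.index(from_signature) < sigs.index(target_signature)
        if allowed:
            sigs.remove(target_signature)
        return allowed


def demo():
    """Constructed scenario: one user with two devices, a second user trying to
    reuse one of them, and deletions attempted in both directions."""
    policy = SignaturePolicy(max_per_account=2, max_other_accounts=0)
    r1 = policy.register("alice", "sig-home-pc")
    r2 = policy.register("alice", "sig-laptop")
    r3 = policy.register("alice", "sig-office-pc")             # limit-reached
    r4 = policy.register("bob", "sig-laptop")                   # denied: shared device
    a1 = policy.check_access("alice", "sig-laptop", False)      # deny: now on the denial list
    a2 = policy.check_access("alice", "sig-office-pc", True)    # allow-detached
    a3 = policy.check_access("alice", "sig-office-pc", False)   # deny
    d1 = policy.delete("alice", "sig-laptop", "sig-home-pc")    # False: oldest only from itself
    d2 = policy.delete("alice", "sig-home-pc", "sig-laptop")    # True: from an older device
    return r1, r2, r3, r4, a1, a2, a3, d1, d2


if __name__ == "__main__":
    print(demo())
```

Note that once a shared device lands on the denial list, the original account loses access from it as well; that is the consequence the text describes for a device "considered to be a malicious one", and an implementation would want the access-attempt history to record why.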